3CX In The Wild

2023-04-03 Threat Radar

https://threatradar.net/wp-content/uploads/2023/04/3CX.pdf

Attachments

3CX.pdf (11 MB)


CrowdStrike and SentinelOne observed a 3CXDesktopApp software supply-chain compromise in which an actor believed to be affiliated with Lazarus inserted malicious code into official Windows and macOS builds. On Windows, the signed 3CX MSI installed 3CXDesktopApp.exe, which side-loaded a backdoored ffmpeg.dll and loaded d3dcompiler_47.dll containing an RC4-encrypted second-stage payload. The second stage downloaded an icon file from GitHub, decrypted data appended to it, and recovered the C2 URL https[:]//glcloudservice[.]com/v1/console for HTTPS communications. The final payload is described as an infostealer capable of collecting system information and browser data such as saved credentials from browsers including Brave and Chrome, making the compromise high-impact because trusted update infrastructure exposed many downstream users.
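The icon-file step above leaves a structural tell: a well-formed .ico consists only of an ICONDIR header, its ICONDIRENTRY records, and the image data those records point at, so stager data appended to the file is bytes the directory does not account for. The following is an added example, not code from the report, from 3CX or from the vendors cited; it parses the directory (any number of entries), reports unaccounted trailing bytes, and uses constructed sample icons rather than real samples.

```python
import struct

# ICONDIR header: reserved (0), resource type (1 = icon, 2 = cursor), image count
ICO_HEADER = struct.Struct("<HHH")
# ICONDIRENTRY: width, height, colour count, reserved, planes, bit count, image size, image offset
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")


def ico_payload_end(data: bytes) -> int:
    """Return the offset one past the last byte the ICO directory accounts for.

    Every legitimate byte of an .ico is the header, a directory entry, or image
    data referenced by an entry; anything beyond this offset is unaccounted for.
    Raises ValueError when the blob is not a well-formed ICO/CUR container.
    """
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, res_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or res_type not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if len(data) < end:
        raise ValueError("truncated ICO directory")
    for i in range(count):
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, ICO_HEADER.size + i * ICO_DIR_ENTRY.size)
        if offset + size > len(data):
            raise ValueError(f"directory entry {i} points past end of file")
        end = max(end, offset + size)
    return end


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the last referenced image: b'' for a clean icon, the hidden blob otherwise."""
    return data[ico_payload_end(data):]


def build_icon(image: bytes) -> bytes:
    """Constructed sample: a one-entry ICO whose single image is `image` (pixel content is irrelevant here)."""
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(16, 16, 0, 0, 1, 32, len(image), offset)
    return header + entry + image


# Constructed inputs: a clean icon and the same icon with an opaque blob appended.
CLEAN_ICON = build_icon(b"\x00" * 48)
APPENDED_BLOB = bytes(range(0xA0, 0xC0))  # 32 stand-in bytes, not real payload data
TAMPERED_ICON = CLEAN_ICON + APPENDED_BLOB

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICON), ("tampered", TAMPERED_ICON)):
        print(f"{name}: {len(trailing_bytes(blob))} unaccounted trailing byte(s)")
```

Run it over icons fetched by an application that has no business fetching icons from public code hosting; a non-zero count is worth a closer look even when the image itself renders correctly.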

Indicators of Compromise

